What’s Your Share of the Shared-Responsibility Model in Cloud Security?
When companies move to the cloud, it’s crucial that they know where the provider’s security role ends and where theirs begins.
The shared-responsibility model is one of the basic tenets of a successful public cloud deployment, and often the least understood. It requires vigilance by the cloud provider and customer—but in different ways.
Amazon Web Services (AWS), which developed the shared-responsibility philosophy as it introduced the public cloud, describes it succinctly as, “knowing the difference between security in the cloud versus the security of the cloud.”
This model, which is radically different from how organizations are used to securing their own data centers, often creates a “disconnect” for newer cloud consumers. Their first question is often, “Is the cloud secure?”
The real question is, “Is the cloud being used securely?”
The security of the cloud refers to all the underlying hardware and software: compute, storage and networking, in both the customer’s and the provider’s environments. But the cloud provider takes care of theirs; the customer takes care of theirs.
The configuration of the foundational services is in the hands of the customer, including: customer data; apps and identity and access management; operating system patches; network and firewall configuration; and data and network encryption.
PTP can certainly assist in these areas, but it’s ultimately up to the customers to set policies and track things. (Although we can help with this, too.)
Many companies that use a primary public cloud provider turn to third-party companies to help them fill in the gaps in their own skillsets and augment the tasks required to properly manage a cloud environment. This spreads out the accountability for the “care and feeding” of the overall IT infrastructure. That’s why Cloud Managed Services are gaining immense popularity right now.
Bottom line: Even though there’s a shared responsibility, you will still have workloads of which you need to be aware. If you are going to put your critical systems, processes, workflows and infrastructure out there in the cloud, you’d better have a plan for backing it up on your end.
There is such a common misunderstanding of the shared-responsibility model in the cloud that PTP has spoken about it extensively at AWS Community meetings, lunch-and-learns and other industry events. If you are interested in seeing the presentations, we’d be happy to share them with you.